Skip to content

v0.9.0 — untrusted-content envelope + calibrated risk scoring

Choose a tag to compare

@fivetaku fivetaku released this 28 Jun 04:54

Prompt-injection surface hardening for fetched public web content.

  • Content-safety envelope: fetched text is annotated untrusted_public_web, reports deterministic injection-risk signals, and the default CLI wraps content between collision-resistant [BEGIN/END UNTRUSTED WEB CONTENT] boundary lines. Python callers still get raw FetchResult.content; use FetchResult.to_untrusted_text() for the safe agent-facing form. JSON output stays content-free + metadata only. Mitigation/packaging boundary, not complete prevention. (#5, thanks @datell1357)
  • Risk-score calibration: a lone topical keyword (secret/token/password) no longer escalates to medium; keyword-only signals without an explicit instruction-override cap at medium instead of high. high is reserved for an instruction-override paired with a sensitive action — verified against real pages (Wikipedia/MDN/Django/Stripe docs) so the label stays meaningful.

U8 regression suite: 11 passed.